Subject: Re: [xacml] Agenda for November 15 Telecon...
Hi Bill, sorry for the delay, I was on travel. I have not completely understood the examples (also since the allow/deny semantics is not unique). For instance, in Apache you state how to interpret the allow/deny by specifying one of two possible interpretations (meaning: "order deny/allow" or "order allow/deny"). Given that the concall will be in two hours, we can discuss it by phone.

With respect to

> deny message if the content contains: (^debt|[ ]debt) ?

I am not sure where to query the content of the message (action? resource? environment?). Suppose it is a parameter of the action:

1) an ONLY IF rule with an action expression evaluating "content contains: (^debt|[ ]debt)" and after the ONLY IF the condition "false"

2) an ONLY IF rule with no conditions before the ONLY IF and with condition "NOT (content contains: (^debt|[ ]debt))" after the ONLY IF.

Is this making sense? We can talk more in the concall.

best
-p

On Tue, 20 Nov 2001, bill parducci wrote:

> I am having trouble coming to grips with this concept in a practical sense.
>
> Here is an example of something that I work with on a regular basis:
> content filtering.
>
> Let's suppose that I want to use a PEP to filter e-mail/news/media
> feeds, etc. based upon content. Here are some examples:
>
> ALLOW (the easy stuff)
> ----------------------
> ^From.*root\@.*(mydomain\.net|(mydomain|yourdomain|hisdomain|herdomain)\.com)
> ^From.*xacml\@lists.oasis-open\.org
>
> DENY
> ----
> ^Subject:.*LOVEYOU
> ^Subject:.*invest.in.credit.card
> ^Subject:.*[sS]av((e)|(ings))?.up.to
>
> DENY ('score' based, may require multiple hits to deny)
> ----------------------------------------------------
> Content: [(no)?(without)?].obligation
> Content: over.(18|eighteen)
> Content: bargain
> Content: (^debt|[ ]debt)
> Content: save.big
> Content: no.*fee
>
> This is a small sample of the hundreds (if not thousands) of conditions
> that can be used (I personally have hundreds). Conversely, the number of
> possible character combinations comprising a request is literally
> infinite. Describing the ALLOWs is easy, but how does one generate a
> policy that says:
>
> deny message if the content contains: (^debt|[ ]debt) ?
>
> thanks
>
> b
>
>
> Pierangela Samarati wrote:
> >
> > Hi
> >
> > As mentioned in the concall today, at the last policy committee
> > call we discussed the issue of positive (meaning permissions; e.g.,
> > "this principal can access this resource") and negative authorizations
> > (meaning denials: "this principal cannot access this resource").
> > While it is true that you cannot do with permissions alone (many cases
> > call for more flexibility), it is also true that having denials
> > complicates the framework (mostly also since when you start having denials
> > you start thinking of the different semantics that they can carry - and
> > that whoever specified the rule may have intended).
> >
> > I had proposed an alternative solution inspired by a recent work, which
> > goes as follows. Distinguish two kinds of rules:
> >
> > 1) the ones that specify sufficient conditions (which are the permissions
> > above)
> >
> > 2) the ones that specify necessary conditions.
> >
> > Instead of repeating descriptions and examples here, I am attaching a
> > file of that work where the two forms of rules are introduced (Section
> > 4.2). Of course our language is different as it is more expressive; but that
> > gives the idea.
> >
> > Only one thing: what I call "subject"
> > there is our "principal", what I call "object" is our "resource".
> >
> > Pls just send me email (or post to the group) for any clarification that may
> > be needed, and any comments.
> >
> > best
> > -p
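The two kinds of rules Pierangela proposes (sufficient conditions, i.e. permissions, and necessary ONLY IF conditions), and her two formulations of the "debt" deny rule, can be made concrete with a small evaluator run over Bill's content-filtering patterns. The code below is an added example for this thread, not code from either author or from the XACML project: it assumes a request carries a raw header block and a body under field names "headers" and "content" (my choice), assumes a score threshold of two hits for the 'score based' list, and uses constructed sample messages. It also shows that the two formulations of the debt rule decide identically, and that the Apache "order allow/deny" question does not arise, because a failed necessary rule always overrides a permission.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A request is what the PEP hands to the policy engine: here the raw header
# block plus the body text. The field names are this example's own choice.
Request = Dict[str, str]
Pred = Callable[[Request], bool]


@dataclass
class SufficientRule:
    """Permission: if `applies` holds, that alone is sufficient to grant."""
    name: str
    applies: Pred


@dataclass
class NecessaryRule:
    """ONLY IF rule: for every request where `applies` holds (None = every
    request), `condition` must also hold, otherwise the request is denied."""
    name: str
    condition: Pred
    applies: Optional[Pred] = None


def matches(field_name: str, pattern: str) -> Pred:
    """Regex found in the named field; MULTILINE anchors ^From / ^Subject to lines."""
    rx = re.compile(pattern, re.MULTILINE)
    return lambda r: rx.search(r.get(field_name, "")) is not None


def none_match(field_name: str, patterns: List[str]) -> Pred:
    """A plain deny list expressed as a NOT condition: no pattern may hit."""
    preds = [matches(field_name, p) for p in patterns]
    return lambda r: not any(p(r) for p in preds)


def score_below(field_name: str, patterns: List[str], threshold: int) -> Pred:
    """The 'score based' list: fewer than `threshold` patterns hit."""
    preds = [matches(field_name, p) for p in patterns]
    return lambda r: sum(1 for p in preds if p(r)) < threshold


def decide(req: Request, sufficient: List[SufficientRule],
           necessary: List[NecessaryRule]) -> Tuple[str, List[str]]:
    """PERMIT iff some sufficient rule applies AND every applicable necessary
    rule's condition holds. No Apache-style 'order' is needed: a violated
    necessary rule always wins over a granted permission."""
    granted = [s.name for s in sufficient if s.applies(req)]
    violated = [n.name for n in necessary
                if (n.applies is None or n.applies(req)) and not n.condition(req)]
    if violated:
        return "DENY", violated
    if granted:
        return "PERMIT", granted
    return "DENY", ["no sufficient rule applies"]


# Bill's patterns, verbatim. The debt pattern is kept out of the scored list
# because the thread discusses it as a stand-alone deny rule.
ALLOW_HEADERS = [
    r"^From.*root\@.*(mydomain\.net|(mydomain|yourdomain|hisdomain|herdomain)\.com)",
    r"^From.*xacml\@lists.oasis-open\.org",
]
DENY_SUBJECTS = [r"^Subject:.*LOVEYOU", r"^Subject:.*invest.in.credit.card",
                 r"^Subject:.*[sS]av((e)|(ings))?.up.to"]
SCORED_CONTENT = [r"[(no)?(without)?].obligation", r"over.(18|eighteen)",
                  r"bargain", r"save.big", r"no.*fee"]
DEBT = r"(^debt|[ ]debt)"
SCORE_THRESHOLD = 2  # assumption: two scored hits are enough to deny


def build_policy(debt_formulation: int):
    sufficient = [SufficientRule(f"allow-{i}", matches("headers", p))
                  for i, p in enumerate(ALLOW_HEADERS)]
    if debt_formulation == 1:
        # 1) applicability "content contains debt", condition "false"
        debt = NecessaryRule("debt-1", condition=lambda r: False,
                             applies=matches("content", DEBT))
    else:
        # 2) applies to every request, condition "NOT (content contains debt)"
        has_debt = matches("content", DEBT)
        debt = NecessaryRule("debt-2", condition=lambda r: not has_debt(r))
    necessary = [NecessaryRule("subject-deny", none_match("headers", DENY_SUBJECTS)),
                 NecessaryRule("score", score_below("content", SCORED_CONTENT, SCORE_THRESHOLD)),
                 debt]
    return sufficient, necessary


def evaluate(req: Request, debt_formulation: int = 1) -> Tuple[str, List[str]]:
    return decide(req, *build_policy(debt_formulation))


def same_under_both(req: Request) -> bool:
    """True when formulations 1) and 2) of the debt rule decide the same way."""
    return evaluate(req, 1)[0] == evaluate(req, 2)[0]


# Constructed sample messages (not from the thread).
MESSAGES: Dict[str, Request] = {
    "cron":     {"headers": "From: root@mydomain.net\nSubject: nightly backup",
                 "content": "backup finished, 0 errors"},
    "debt":     {"headers": "From: root@mydomain.net\nSubject: hello",
                 "content": "consolidate your debt today"},
    "subject":  {"headers": "From: xacml@lists.oasis-open.org\nSubject: Save up to 50%",
                 "content": "agenda attached"},
    "scored":   {"headers": "From: root@hisdomain.com\nSubject: offer",
                 "content": "no obligation, bargain prices, save big"},
    "one_hit":  {"headers": "From: root@hisdomain.com\nSubject: offer",
                 "content": "this is a bargain"},
    "stranger": {"headers": "From: someone@example.org\nSubject: hi", "content": "hello"},
}

if __name__ == "__main__":
    for name, msg in MESSAGES.items():
        print(f"{name:9s} {evaluate(msg)}  same under both formulations: {same_under_both(msg)}")
```

Note what the "stranger" message shows: with only sufficient rules a request that matches nothing is denied by default, so the ALLOW list alone already closes the policy; the necessary rules are only needed to carve exceptions out of what the permissions would otherwise grant, and the "one_hit" message shows the score threshold letting a single scored hit through.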